Abstract

We indicate a strategy in order to construct bilinear multiplication algorithms of type Chudnovsky in large extensions of any finite field. In particular, by using the symmetric version of the generalization of Randriambololona specialized on the elliptic curves, we show that it is possible to construct such algorithms with low bilinear complexity. More precisely, if we only consider the Chudnovsky-type algorithms of type symmetric elliptic, we show that the symmetric bilinear complexity of these algorithms is in $O(n(2q)^{\log^*(n)})$ where $n$ corresponds to the extension degree, and $\log^*(n)$ is the iterated logarithm. Moreover, we show that the construction of such algorithms can be done in time polynomial in $n$. Finally, applying this method we present the effective construction, step by step, of such an algorithm of multiplication in the finite field $\mathbb{F}_{3^{57}}$.

Keywords: Elliptic function fields, multiplication algorithm, tensor rank. 

1 Introduction 



A growing number of applications, such as asymmetric cryptography, make use of big integer arithmetic. In this context, it is important to conceive and develop efficient arithmetic algorithms combined with an optimal implementation method. Accelerating basic arithmetic operations can provide efficient arithmetic algorithms and thus can speed up a protocol which executes a lot of multiplications. This situation typically occurs when considering cryptographic protocols. In this paper, we only care about the multiplication operation. There exist numerous multiplication algorithms in the literature; examples are Karatsuba's algorithm for polynomial multiplication, Toom-Cook's algorithm for large integer multiplication, but also Strassen's algorithm for matrix multiplication.

In this article, we are interested in multiplication algorithms in any extension of finite fields; in particular the focus is on the Chudnovsky-Chudnovsky method [20]. This method, based on interpolation on algebraic curves defined over a finite field, allows us to obtain multiplication algorithms with low bilinear complexity. Our objective is to construct explicitly such multiplication algorithms for large finite extensions of finite fields. The Chudnovsky-Chudnovsky method and its variants have been extensively studied these last years through the work of Shparlinski, Tsfasman, Vladut [33], Baum and Shokrollahi [11], Ballet and Rolland [9], [10], Chaumine [18], Arnaud [1], Cenk-Ozbudak [17] and Cascudo, Cramer, Xing and Yang [14], and recently Randriambololona [29]. Indeed, the studies on the subject are of both theoretical and practical importance: theoretically, the bilinear complexity is linked to the tensor rank and in practice, it is related to the number of gates in an electronic circuit. However, most of the work focused on the improvement of the bounds on the bilinear complexity and the theoretical aspects of the Chudnovsky-type algorithms (in particular the underlying geometry of Riemann-Roch spaces).

1.1 Multiplication algorithm and tensor rank 

Let $\mathbb{F}_q$ be a finite field where $q$ is a prime power, $\mathbb{F}_{q^n}$ be the degree $n$ extension of $\mathbb{F}_q$ and $(e_1, \dots, e_n)$ denote a basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$. We define for two elements of $\mathbb{F}_{q^n}$

$$X = \sum_{i=1}^{n} x_i e_i \quad \text{and} \quad Y = \sum_{i=1}^{n} y_i e_i,$$

the complexity of multiplication of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ as the number of elementary operations needed to obtain the product $X.Y$ in $\mathbb{F}_{q^n}$, where the elementary operations are:

1. Addition: $(a, b) \mapsto a + b$, with $a, b \in \mathbb{F}_q$.

2. Scalar multiplication: $x \mapsto c.x$, with $c, x \in \mathbb{F}_q$.

3. Bilinear multiplication: $(a, b) \mapsto a.b$, with $a, b \in \mathbb{F}_q$.

In this paper, we focus on the construction of algorithms realizing the multiplication in extensions of finite fields with a minimal number (called bilinear complexity) of two-variable multiplications (called bilinear multiplications), without counting the other operations such as multiplications by a constant (called scalar multiplications). More precisely, let us recall the notions of multiplication algorithm and associated bilinear complexity in terms of tensor rank.

Definition 1.1. Let $K$ be a field, and $E_0, \dots, E_s$ be finite dimensional $K$-vector spaces. A non-zero element $t \in E_0 \otimes \cdots \otimes E_s$ is said to be an elementary tensor, or a tensor of rank 1, if it can be written in the form $t = e_0 \otimes \cdots \otimes e_s$ for some $e_i \in E_i$. More generally, the rank of an arbitrary $t \in E_0 \otimes \cdots \otimes E_s$ is defined as the minimal length of a decomposition of $t$ as a sum of elementary tensors.
Definition 1.2. If

$$\alpha : E_1 \times \cdots \times E_s \to E_0$$

is an $s$-linear map, the $s$-linear complexity of $\alpha$ is defined as the tensor rank of the element

$$\hat{\alpha} \in E_0 \otimes E_1^{\vee} \otimes \cdots \otimes E_s^{\vee}$$

naturally deduced from $\alpha$, where $E_i^{\vee}$ denotes the dual of $E_i$ as a vector space over $K$ for any integer $i$. In particular, the 2-linear complexity is called the bilinear complexity.

Definition 1.3. Let $A$ be a finite-dimensional $K$-algebra. We denote by

$$\mu(A/K)$$

the bilinear complexity of the multiplication map

$$m_A : A \times A \to A$$

considered as a $K$-bilinear map.

In particular, if $A = \mathbb{F}_{q^n}$ and $K = \mathbb{F}_q$, we let:

$$\mu_q(n) = \mu(\mathbb{F}_{q^n}/\mathbb{F}_q).$$

More concretely, $\mu(A/K)$ is the smallest integer $n$ such that there exist linear forms $\phi_1, \dots, \phi_n$ and $\psi_1, \dots, \psi_n : A \to K$, and elements $w_1, \dots, w_n \in A$, such that for all $x, y \in A$ one has

$$xy = \phi_1(x)\psi_1(y)w_1 + \cdots + \phi_n(x)\psi_n(y)w_n, \qquad (1)$$

since such an expression is the same thing as a decomposition

$$T_M = \sum_{i=1}^{n} w_i \otimes \phi_i \otimes \psi_i \in A \otimes A^{\vee} \otimes A^{\vee} \qquad (2)$$

for the multiplication tensor of $A$.

Definition 1.4. We call multiplication algorithm of length $n$ for $A/K$ a collection of $\phi_i, \psi_i, w_i$ that satisfy (1) or, equivalently, a tensor decomposition

$$T_M = \sum_{i=1}^{n} w_i \otimes \phi_i \otimes \psi_i \in A \otimes A^{\vee} \otimes A^{\vee}$$

for the multiplication tensor of $A$. Such an algorithm is said to be symmetric if $\phi_i = \psi_i$ for all $i$ (this can happen only if $A$ is commutative).

Hence, when A is commutative, it is interesting to study the minimal length of 
a symmetric multiplication algorithm. 

Definition 1.5. If $A$ is a finite-dimensional $K$-algebra, the symmetric bilinear complexity

$$\mu^{sym}(A/K)$$

is the minimal length of a symmetric multiplication algorithm.
In particular, if $A = \mathbb{F}_{q^n}$ and $K = \mathbb{F}_q$, we let:

$$\mu_q^{sym}(n) = \mu^{sym}(\mathbb{F}_{q^n}/\mathbb{F}_q).$$
1.2 Known results



Let us recall some classical known results. In their seminal papers, Winograd [38] and De Groote [22] have shown that $\mu(\mathbb{F}_{q^n}/\mathbb{F}_q) \ge 2n - 1$, with equality holding if and only if $n \le \frac{1}{2}q + 1$. Winograd also proved [38] that optimal multiplication algorithms realizing the lower bound belong to the class of interpolation algorithms. Later, generalizing interpolation algorithms on the projective line over $\mathbb{F}_q$ to algebraic curves of higher genus over $\mathbb{F}_q$, Chudnovsky and Chudnovsky provided a method [20] which enabled to prove the linearity [2] of the bilinear complexity of multiplication in finite extensions of a finite field. Moreover, they proposed the first known multiplication algorithm using interpolation on algebraic function fields (of one variable) over $\mathbb{F}_q$. This is the so-called Chudnovsky and Chudnovsky algorithm, also called Chudnovsky algorithm for short. Then, several studies focused on the qualitative improvement of this algorithm (for example [9], [1], [17], [29]) as well as on the improvement of upper bounds (for example [10], [8]) and asymptotic upper bounds (for example [33], [14]) of the bilinear complexity. However, few studies have been devoted to the effective construction of Chudnovsky-type algorithms, and in particular no work has been done when the degree of the extensions reaches cryptographic size. Indeed, the first known effective finite field multiplication through interpolation on algebraic curves was proposed by Shokrollahi and Baum [11]. They used the Fermat curve $x^3 + y^3 = 1$ to construct a multiplication algorithm over $\mathbb{F}_{4^4}$ with 8 bilinear multiplications. In [3], Ballet proposed one over $\mathbb{F}_{16^n}$ where $n \in \{13, 14, 15\}$, using the hyperelliptic curve $y^2 + y = x^5$ with $2n + 1$ bilinear multiplications. Notice that these two aforementioned algorithms only used rational points, with multiplicity equal to one. Recently Cenk and Ozbudak proposed in [17] an explicit multiplication algorithm in $\mathbb{F}_{3^9}$ with 26 bilinear multiplications. To this end, they used the elliptic curve $y^2 = x^3 + x + 2$ with points of higher degree and higher multiplicity.

1.3 Organization of the paper and new results 

In Section 2, we fix the notation and we recall the different versions of Chudnovsky-type algorithms. Then in Section 3, we present a strategy in order to construct multiplication algorithms of type Chudnovsky in arbitrarily large extensions of finite fields. In particular, we show that from an elliptic curve defined over any finite field $\mathbb{F}_q$, we can exhibit a symmetric version of the generalization of Randriambololona (specialized on the elliptic curves) for any extension of $\mathbb{F}_q$ of degree $n$, with low bilinear complexity. More precisely, if we only consider the Chudnovsky-type algorithms of type symmetric elliptic, we show that the symmetric bilinear complexity of these algorithms is in $O(n(2q)^{\log^*(n)})$. Even if this asymptotic complexity is quasi-linear, it has the advantage of being derived from an infinite family of symmetric algorithms with a fixed genus equal to one, which corresponds to the specificity of our strategy in contrast to the usual strategy. Consequently, fixing the genus to one allows us to control the complexity of the construction, meaning that for finite fields of cryptographic size, one can construct such algorithms in a reasonable time. Indeed, we prove that the complexity of the construction of symmetric elliptic algorithms is in time polynomial in $n$. In fact, this is not at all the case of the usual strategy based upon the construction of algorithms with growing genus, since the complexity of such a construction is not known because of the problem of the explicit construction of high degree points [33, Section 4, Remarks 5]. Finally in Section 4, we present new upper bounds for large extensions of $\mathbb{F}_2$ and $\mathbb{F}_3$, and we also propose the effective construction, step by step, of an algorithm of multiplication in $\mathbb{F}_{3^{57}}$.

2 Multiplication algorithms of type Chudnovsky 

We start with some elementary terminology and results of algebraic function 
fields. A comprehensive course of the subject can be found in [34]. 

2.1 Notation 

An algebraic function field $F/\mathbb{F}_q$ of one variable over $\mathbb{F}_q$ is an extension field $F \supseteq \mathbb{F}_q$ such that $F$ is a finite extension of $\mathbb{F}_q(x)$ for some element $x \in F$ which is transcendental over $\mathbb{F}_q$. A valuation ring of the function field $F/\mathbb{F}_q$ is a ring $\mathcal{O} \subseteq F$ such that $\mathbb{F}_q \subsetneq \mathcal{O} \subsetneq F$ and for any $z \in F$, either $z \in \mathcal{O}$ or $z^{-1} \in \mathcal{O}$. A place $P$ of the function field $F/\mathbb{F}_q$ is the maximal ideal of some valuation ring $\mathcal{O}$ of $F/\mathbb{F}_q$. If $\mathcal{O}$ is a valuation ring of $F/\mathbb{F}_q$ and $P$ is its maximal ideal, then $\mathcal{O}$ is uniquely determined by $P$, hence we denote $\mathcal{O}$ by $\mathcal{O}_P$. Every place $P$ can be written as $P = t\mathcal{O}_P$, where $t$ is a local parameter for $P$. We will denote the set of all places of $F/\mathbb{F}_q$ by $\mathbb{P}_F$. For a place $P$, $F_P := \mathcal{O}_P / P$ is called the residue class field of $P$. The map $x \mapsto x(P)$ from $F$ to $F_P \cup \{\infty\}$ is called the residue class map with respect to $P$. The degree of $P$ is defined by $\deg P := [F_P : \mathbb{F}_q]$. The free abelian group which is generated by the places of $F/\mathbb{F}_q$ is called the divisor group of $F/\mathbb{F}_q$, so a divisor is a formal sum $D = \sum_{P \in \mathbb{P}_F} n_P P$, with $n_P \in \mathbb{Z}$ and almost all $n_P = 0$, of degree $\deg(D) = \sum_{P \in \mathbb{P}_F} v_P(D) \deg P$ where $v_P$ is the discrete valuation associated to the place $P$. The support of a divisor $D$, denoted $\operatorname{supp} D$, is the set of places $P$ with $v_P(D) \ne 0$. For a function $f \in F/\mathbb{F}_q$, we denote by $(f) = \sum_{P \in \mathbb{P}_F} v_P(f) P$ the principal divisor of $f$. If $D$ is a divisor then $\mathcal{L}(D) = \{f \in F \mid D + (f) \ge 0\} \cup \{0\}$ is the Riemann-Roch space, which is an $\mathbb{F}_q$-vector space. The integer $\ell(D) = \dim \mathcal{L}(D)$ is called the dimension of $D$ and $i(D) = \ell(D) - \deg D + g - 1$ is the index of speciality of $D$. We say that $D$ is non-special if $i(D) = 0$ and special otherwise.

2.2 Original Algorithm of Chudnovsky 

We are now able to state the original Chudnovsky algorithm [20] and its recent 
improvements. 

Theorem 2.1. Let

• $F/\mathbb{F}_q$ be an algebraic function field of one variable,

• $Q$ be a degree $n$ place of $F/\mathbb{F}_q$,

• $D$ be a divisor of $F/\mathbb{F}_q$,

• $\mathcal{P} = \{P_1, \dots, P_N\}$ be a set of rational places.

We suppose that $\operatorname{supp} D \cap \{Q, P_1, \dots, P_N\} = \emptyset$ and that:

A) The application

$$Ev_Q : \mathcal{L}(D) \to \mathbb{F}_{q^n} \simeq F_Q, \qquad f \mapsto f(Q)$$

is surjective.

B) The application

$$Ev_{\mathcal{P}} : \mathcal{L}(2D) \to \mathbb{F}_q^N, \qquad f \mapsto (f(P_1), \dots, f(P_N))$$

is injective.

Then

$$\mu^{sym}(\mathbb{F}_{q^n}/\mathbb{F}_q) \le N.$$

A drawback of this algorithm is that it only uses rational points. Moreover, finding sufficiently many rational points and suitable divisors such that the evaluation maps are surjective and injective is either a difficult task, or even impossible. Consequently, some researchers proposed several improvements and variants that we present in the next section.

2.3 Generalization of Arnaud and Cenk-Ozbudak 

In order to obtain good estimates for the bilinear complexity, S. Ballet gave in [2] some easily verified conditions allowing the use of the Chudnovsky algorithm. Then S. Ballet and R. Rolland generalized in [9] the original algorithm using places of degree 1 and 2. The best finalized version of this algorithm in this direction is the generalization introduced by N. Arnaud in [1] and improved by M. Cenk and F. Ozbudak in [17]. This generalization uses several coefficients in the local expansion at each place $P_i$ instead of just the first one. Due to the way the local expansion of a product is obtained from the local expansion of each factor, the bound for the bilinear complexity involves the complexity notion $M_q(u)$ introduced by Cenk and Ozbudak in [17] and defined as follows:

Definition 2.2. We denote by $M_q(u)$ the minimum number of multiplications needed in $\mathbb{F}_q$ in order to obtain the coefficients of the product of two arbitrary $u$-term polynomials modulo $x^u$ in $\mathbb{F}_q[x]$.

For instance, we know that for all prime powers $q$, we have $M_q(2) \le 3$ by [16]. Now, we introduce the generalized algorithm of type Chudnovsky described in [17].
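As an added illustration of Definitions 1.3 and 1.4 and of the value $M_q(2) \le 3$ just quoted (this is example code written for this page, not code from the paper or its authors), the following Python script searches exhaustively for the shortest symmetric multiplication algorithm of two 2-dimensional $\mathbb{F}_2$-algebras: the field $\mathbb{F}_4 = \mathbb{F}_2[e]/(e^2 + e + 1)$, for which Table 1 below gives $\mu_2(2) = 3$, and the truncated algebra $\mathbb{F}_2[t]/(t^2)$ of Definition 2.2, for which $M_2(2) = 3$. The bases $(1, e)$ and $(1, t)$ and the encoding of a linear form as a pair of $\mathbb{F}_2$-coefficients are assumptions of the example. It also checks the classical length-3 algorithm obtained by interpolation on the projective line at $0$, $1$ and $\infty$ (Karatsuba), which is symmetric ($\phi_i = \psi_i$).

```python
# Added example (not code from the paper): symmetric multiplication algorithms
# in the sense of Definitions 1.3/1.4 for two 2-dimensional F_2-algebras, found
# by exhaustive search. An algebra is given by its multiplication on coordinate
# vectors (c0, c1) with respect to a fixed F_2-basis (assumption of the example).
import itertools


def mul_f4(x, y):
    """F_4 = F_2[e]/(e^2 + e + 1) with basis (1, e), so e^2 = e + 1."""
    x0, x1 = x
    y0, y1 = y
    return ((x0 * y0 + x1 * y1) % 2, (x0 * y1 + x1 * y0 + x1 * y1) % 2)


def mul_trunc(x, y):
    """A_2(1, 2) = F_2[t]/(t^2) with basis (1, t): the t^2 term is dropped."""
    x0, x1 = x
    y0, y1 = y
    return ((x0 * y0) % 2, (x0 * y1 + x1 * y0) % 2)


ELEMENTS = [(0, 0), (0, 1), (1, 0), (1, 1)]   # all vectors of a 2-dim F_2-space
NONZERO = ELEMENTS[1:]


def linear_form(phi, x):
    """phi = (f0, f1) encodes the F_2-linear form x -> f0*x0 + f1*x1."""
    return (phi[0] * x[0] + phi[1] * x[1]) % 2


def evaluate(terms, x, y):
    """Right-hand side of (1) with phi_i = psi_i: sum_i phi_i(x) phi_i(y) w_i."""
    acc0 = acc1 = 0
    for phi, w in terms:
        c = linear_form(phi, x) * linear_form(phi, y)  # one bilinear multiplication
        acc0 = (acc0 + c * w[0]) % 2
        acc1 = (acc1 + c * w[1]) % 2
    return (acc0, acc1)


def is_symmetric_algorithm(terms, mul):
    """True iff the pairs (phi_i, w_i) realise the product mul for all x, y."""
    return all(evaluate(terms, x, y) == mul(x, y) for x in ELEMENTS for y in ELEMENTS)


def min_symmetric_length(mul, max_len=4):
    """Smallest length of a symmetric algorithm for mul (mu^sym) with a witness.
    A term with phi = 0 or w = 0 contributes nothing, so only nonzero pairs are
    tried; the order of the terms is irrelevant, so multisets are enumerated."""
    candidates = [(phi, w) for phi in NONZERO for w in NONZERO]
    for length in range(1, max_len + 1):
        for terms in itertools.combinations_with_replacement(candidates, length):
            if is_symmetric_algorithm(terms, mul):
                return length, list(terms)
    return None


# Interpolation on the projective line at 0, 1 and infinity (Karatsuba):
# phi = x0, x0 + x1, x1 with the matching w_i, a symmetric algorithm of length 3.
KARATSUBA_F4 = [((1, 0), (1, 1)), ((1, 1), (0, 1)), ((0, 1), (1, 0))]
KARATSUBA_TRUNC = [((1, 0), (1, 1)), ((1, 1), (0, 1)), ((0, 1), (0, 1))]

if __name__ == "__main__":
    for name, mul in (("F_4 / F_2", mul_f4), ("F_2[t]/(t^2) / F_2", mul_trunc)):
        length, witness = min_symmetric_length(mul)
        print(name, "mu^sym =", length, "witness:", witness)
```

Running the script reports $\mu^{sym} = 3$ for both algebras together with a witness decomposition; the search confirms that no symmetric algorithm of length 2 exists, which is the Winograd lower bound $2n - 1$ with $n = 2$ seen on this tiny case. Over a larger base field or in higher dimension such an exhaustive search is hopeless, which is why the interpolation constructions of the following sections matter.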

Theorem 2.3. Let

• $q$ be a prime power,

• $F/\mathbb{F}_q$ be an algebraic function field,

• $Q$ be a degree $n$ place of $F/\mathbb{F}_q$,

• $\mathcal{D}$ be a divisor of $F/\mathbb{F}_q$,

• $\mathcal{P} = \{P_1, \dots, P_N\}$ be a set of $N$ places of arbitrary degree,

• $u_1, \dots, u_N$ be positive integers.

We suppose that $Q$ and all the places in $\mathcal{P}$ are not in the support of $\mathcal{D}$ and that:

a) the map

$$Ev_Q : \mathcal{L}(\mathcal{D}) \to \mathbb{F}_{q^n} \simeq F_Q, \qquad f \mapsto f(Q)$$

is onto,

b) the map

$$Ev_{\mathcal{P}} : \mathcal{L}(2\mathcal{D}) \to \left(\mathbb{F}_{q^{\deg P_1}}\right)^{u_1} \times \left(\mathbb{F}_{q^{\deg P_2}}\right)^{u_2} \times \cdots \times \left(\mathbb{F}_{q^{\deg P_N}}\right)^{u_N}, \qquad f \mapsto \left(\varphi_1(f), \varphi_2(f), \dots, \varphi_N(f)\right)$$

is injective, where the application $\varphi_i$ is defined by

$$\varphi_i : \mathcal{L}(2\mathcal{D}) \to \left(\mathbb{F}_{q^{\deg P_i}}\right)^{u_i}, \qquad f \mapsto \left(f(P_i), f'(P_i), \dots, f^{(u_i - 1)}(P_i)\right)$$

with $f = f(P_i) + f'(P_i)\,t_i + f''(P_i)\,t_i^2 + \cdots + f^{(k)}(P_i)\,t_i^k + \cdots$ the local expansion at $P_i$ of $f$ in $\mathcal{L}(2\mathcal{D})$, with respect to the local parameter $t_i$. Note that we set $f^{(0)} = f$.

Then

$$\mu_q(n) \le \sum_{i=1}^{N} \mu_q(\deg P_i)\, M_{q^{\deg P_i}}(u_i).$$

Remark that the original algorithm in [20] given by D.V. and G.V. Chudnovsky concerns the particular case $\deg P_i = 1$ and $u_i = 1$ for $i = 1, \dots, N$. The first generalization introduced by S. Ballet and R. Rolland in [9] allows the use of places of degree one and two; more precisely it concerns the case $\deg P_i = 1$ or $2$ and $u_i = 1$ for $i = 1, \dots, N$. Next, N. Arnaud introduced during his PhD [1] the use of derivative evaluation, which provides a refinement of the bounds on the bilinear complexity. His work concerns the case $\deg P_i = 1$ or $2$ and $u_i = 1$ or $2$ for $i = 1, \dots, N$. Cenk and Ozbudak generalized in [17] Arnaud's work, not only interpolating on places of arbitrary degree but also using derivative evaluation as desired. Thus fewer places of fixed degree are necessary to get the injectivity and the surjectivity of both evaluation maps. However, they use separately the degree $\deg P_i$ of a place $P_i$ and its multiplicity $M_q(u_i)$. Recently, Randriambololona introduced in [29] a new generalization of this algorithm which combines them.
2.4 Generalization of Randriambololona

Randriambololona introduced in [29] a possibly asymmetric version of this algorithm. Furthermore, he introduced a new quantity $\mu_q(\deg P_i, u_i)$ to deal with both the degree and the multiplicity at the same time.

Definition 2.4. For any integers $n, l \ge 1$ we consider the $\mathbb{F}_q$-algebra of polynomials in one indeterminate with coefficients in $\mathbb{F}_{q^n}$, truncated at order $l$:

$$\mathcal{A}_q(n, l) = \mathbb{F}_{q^n}[t]/(t^l)$$

of dimension

$$\dim_{\mathbb{F}_q} \mathcal{A}_q(n, l) = nl,$$

and we denote by

$$\mu_q(n, l) = \mu(\mathcal{A}_q(n, l)/\mathbb{F}_q)$$

its bilinear complexity over $\mathbb{F}_q$ and by

$$\mu_q^{sym}(n, l) = \mu^{sym}(\mathcal{A}_q(n, l)/\mathbb{F}_q)$$

its symmetric bilinear complexity over $\mathbb{F}_q$.

Note that when $l = 1$, we have $\mu_q(n, 1) = \mu_q(n)$, which corresponds to the bilinear complexity of multiplication in $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$; and when $n = 1$, we have $\mu_q(1, l) = M_q(l)$, which represents the quantity defined by Cenk and Ozbudak [17]. Now, in order to make the presentation of Randriambololona's generalization easier, we choose to use the language of modern algebraic geometry, emphasizing the geometric point of view even if everything could be equally expressed in the language of function fields in one indeterminate. Hence, by a thickened point in the algebraic curve $X$ defined over $\mathbb{F}_q$, we mean any closed subscheme of $X$ supported on a closed point (of arbitrary degree). If $Q$ is a closed point in $X$, we denote by $I_Q$ the sheaf of ideals defining it and, for any integer $l \ge 1$, we let $Q^{[l]}$ be the closed subscheme of $X$ defined by the sheaf of ideals $(I_Q)^l$. Then $Q^{[l]}$ is the thickened point supported on $Q$. If $D$ is a divisor on $X$, we denote by $\mathcal{L}(D) = \Gamma(X, \mathcal{O}_X(D))$ its Riemann-Roch space. Then, we can present the generalization in [29] which corresponds to the asymmetric version of the algorithm of type Chudnovsky.

Theorem 2.5. Let $C$ be a curve of genus $g$ over $\mathbb{F}_q$, and let $n, l \ge 1$ be two integers. Suppose that $C$ admits a closed point $Q$ of degree $\deg Q = n$. Let $G$ be an effective divisor on $C$, and write

$$G = u_1 P_1 + \cdots + u_N P_N$$

where the $P_i$ are pairwise distinct closed points, of degree $\deg P_i = d_i$. Suppose there exist two divisors $D_1, D_2$ on $C$ such that:

(i) The natural evaluation map

$$\mathcal{L}(D_1 + D_2) \to \bigoplus_{i=1}^{N} \mathcal{O}_C(D_1 + D_2)\big|_{u_i P_i}$$

is injective.

(ii) The natural evaluation maps

$$\mathcal{L}(D_1) \to \mathcal{O}_C(D_1)\big|_{Q^{[l]}}, \qquad \mathcal{L}(D_2) \to \mathcal{O}_C(D_2)\big|_{Q^{[l]}}$$

are surjective.

Then

$$\mu_q(n, l) \le \sum_{i=1}^{N} \mu_q(d_i, u_i).$$

In fact, we also have $\mu_q(n, l) \le \mu\left(\prod_{i=1}^{N} \mathcal{A}_q(d_i, u_i)/\mathbb{F}_q\right)$. Moreover, if $D_1 = D_2$, all these inequalities also hold for the symmetric bilinear complexity $\mu^{sym}$.

Sufficient numerical criteria for the hypotheses above to hold can be given as follows. A sufficient condition for the existence of $Q$ of degree $n$ on $C$ is that $2g + 1 \le q^{(n-1)/2}(q^{1/2} - 1)$, while sufficient conditions for (i) and (ii) are:

(i') The divisor $D_1 + D_2 - G$ is zero-dimensional:

$$\ell(D_1 + D_2 - G) = 0.$$

(ii') The divisors $D_1 - lQ$ and $D_2 - lQ$ are non-special:

$$i(D_1 - lQ) = i(D_2 - lQ) = 0.$$

More precisely, (i) and (i') are equivalent, while (ii') only implies (ii) a priori.

The improvement suggested by Randriambololona in relation with bilinear complexity leads to the following inequality

$$\mu_q(\deg P_i, u_i) \le \mu_q(\deg P_i)\, M_{q^{\deg P_i}}(u_i),$$

where $\mu_q(\deg P_i, 1) = \mu_q(\deg P_i)$ is the bilinear complexity of multiplication in $\mathbb{F}_{q^{\deg P_i}}$ over $\mathbb{F}_q$, and $\mu_{q^{\deg P_i}}(1, u_i) = M_{q^{\deg P_i}}(u_i)$ is the complexity previously defined in Definition 2.2. There exist examples where this inequality is strict, especially when we use places of higher degree with higher multiplicity. It is not the case in this paper. In fact, even if the formula for $\mu_q(\deg P_i, u_i)$ is recursive, meaning that we can derive upper bounds, using places of higher degree with higher multiplicity is more expensive than only using higher multiplicity with rational places.
Table 1: Bounds for $\mu_q(n)$ and $M_q(n)$ for $1 \le n \le 8$, and $q = 2, 3$.

    n                       |  1 |  2 |  3 |  4 |  5 |  6 |  7 |  8
    ------------------------+----+----+----+----+----+----+----+----
    $\mu_2(n,1) = \mu_2(n)$ |  1 |  3 |  6 |  9 | 13 | 15 | 22 | 24
    $\mu_3(n,1) = \mu_3(n)$ |  1 |  3 |  6 |  9 | 12 | 15 | 19 | 21
    $M_q(n)$                |  1 |  3 |  5 |  8 | 11 | 15 | 19 | 24


3 Construction of certain algorithms of type Chudnovsky

3.1 Strategies of construction 

So far, the strategy to obtain upper bounds for the bilinear complexity of multiplication in $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ has always been to apply algorithms of type Chudnovsky on infinite families (especially some towers) of algebraic function fields defined over a fixed finite field $\mathbb{F}_q$, with genus growing to infinity. More precisely, from a practical point of view, for any integer $n$, it consists in choosing the appropriate algebraic function field in the family, namely the first one satisfying the conditions of Theorems 2.1, 2.3 or 2.5, in order to multiply in $\mathbb{F}_{q^n}$. This implies increasing the genus for a few fixed degrees of places. Unfortunately this strategy has a weak point, since growing the genus could hugely increase the complexity of the construction. However, there exists another strategy which corresponds to using the degree of freedom that remains: the degree of the places. Technically, this approach consists in fixing the genus while increasing the degree of the places. This new way, implied in the generalization of Arnaud and Cenk-Ozbudak, has never been investigated and requires introducing new complexity notions.

Definition 3.1. For any integers $n, l \ge 1$, and for the $\mathbb{F}_q$-algebra

$$\mathcal{A}_q(n, l) = \mathbb{F}_{q^n}[t]/(t^l),$$

let us set

$$\mu_{q,g}(n, l) = \min_{C} \mu_C(\mathcal{A}_q(n, l)/\mathbb{F}_q),$$

where $C$ runs over all curves of genus $g$ over $\mathbb{F}_q$. Then $\mu_{q,g}(n, l)$ is called the bilinear complexity over $\mathbb{F}_q$ of the $\mathbb{F}_q$-algebra $\mathcal{A}_q(n, l)$ when the genus $g$ is fixed. We denote by

$$\mu_{q,C}(n, l) = \mu_C(\mathcal{A}_q(n, l)/\mathbb{F}_q)$$

the bilinear complexity over $\mathbb{F}_q$ of the $\mathbb{F}_q$-algebra $\mathcal{A}_q(n, l)$ when the model of the curve of genus $g$ is fixed. The quantities $\mu_{q,g}^{sym}(n, l)$ and $\mu_{q,C}^{sym}(n, l)$ denote their associated symmetric bilinear complexity over $\mathbb{F}_q$.

Our purpose here is to develop this strategy in the case of elliptic function fields. 
The choice of algebraic curves of genus one was made for two main reasons: 
1. First of all, because the effective construction of such elliptic algorithms can be completed within a reasonable time. More precisely, we prove that the complexity of the construction of a symmetric elliptic bilinear multiplication algorithm in $\mathbb{F}_{q^n}$ is in time polynomial in $n$.

2. Finally, elliptic curves are heavily used to construct cryptographic primitives. Indeed, using the same elliptic curve for both the multiplication and the cryptographic algorithms could improve the efficiency in secure embedded systems.

3.2 Elliptic Chudnovsky algorithms 

In this section, we improve a result obtained by Randriambololona in [29, Proposition 4.3] which, setting the parameter $l$ to 1, generalizes a result of Shokrollahi [32] and Chaumine [18].

Let $C/\mathbb{F}_q$ be an elliptic curve defined over $\mathbb{F}_q$ with a chosen point $P_\infty$. The set $C(\mathbb{F}_q)$ of rational points over $\mathbb{F}_q$ admits a structure of finite abelian group with identity element $P_\infty$ and of cardinality $N_1(C(\mathbb{F}_q))$. Moreover, there is a map $\sigma : \mathrm{Div}(C) \to C(\mathbb{F}_q)$ uniquely defined by the condition that each divisor $D$ of degree $d$ is linearly equivalent to the divisor $\sigma(D) + (d - 1)P_\infty$. This map $\sigma$ is a group morphism, it passes to linear equivalence, and it induces an isomorphism of the degree 0 class group $\mathrm{Cl}^0(C)$. First, let us recall the result obtained by Randriambololona in [29, Proposition 4.3].

Proposition 3.2. Let $C$ be an elliptic curve over $\mathbb{F}_q$, $n$ be an integer. Suppose that $C$ admits a closed point $Q$ of degree $n$. Let $G$ be an effective divisor on $C$, and write

$$G = u_1 P_1 + \cdots + u_N P_N$$

where the $P_i$ are pairwise distinct closed points, of degree $\deg P_i$, so

$$\deg G = \sum_{i=1}^{N} \deg P_i \cdot u_i.$$

Then

$$\mu_{q,C}(n, 1) \le \sum_{i=1}^{N} \mu_q(\deg P_i, u_i), \qquad (3)$$

provided one of the following conditions is satisfied:

1. $C$ admits at least three points of degree one and $\deg G \ge 2n$.

2. $C$ admits two points of degree one and $\deg G \ge 2n$, with $\sigma(G) \ne P_\infty$.

3. $C$ admits only two points of degree one and $\deg G \ge 2n + 1$.

4. $C$ admits only one point of degree one and $\deg G \ge 2n + 3$.
The above result gives sufficient conditions to construct an elliptic bilinear algorithm of type Chudnovsky (cf. Theorem 2.5) from an elliptic curve $C$ and from an effective divisor $G$ on $C$. However, note that unlike the case of genus 0 in [29, Proposition 4.2], it does not give sufficient conditions to construct a symmetric elliptic bilinear algorithm, because of Assertion (1). We propose an improvement of this result in two points:

• firstly, we give on the one hand sufficient conditions to construct symmetric algorithms, and on the other hand, we give explicit equations of elliptic curves which are more convenient than the above conditions.

• finally, our new result allows us to bound $\mu_{q,C}(n, 1)$, not only with the best known bounds for $\mu_q(\deg P_i, u_i)$ as Proposition 3.2 suggests, but also with bounds for $\mu_{q,C}(\deg P_i, u_i)$ derived from the same elliptic curve $C$.

In order to achieve this, we need to know the number of 2-torsion points of the divisor class group, as signaled by Cascudo, Cramer and Xing in [15] (cf. also [13, Chapter 9]) relatively to the proof of the Claim in [33, Theorem 3.1]. In particular, we need to know it when the number of rational points of the elliptic curve $E/\mathbb{F}_q$ defined over a finite field $\mathbb{F}_q$ of odd characteristic is equal to four. Note that if $E$ denotes an elliptic curve defined over a field $K$, and $\ell \in \mathbb{Z}$ is such that $\ell$ is prime to the characteristic of $K$, then the group of $\ell$-torsion points $E[\ell]$ is isomorphic to $\mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}$, but this holds over the algebraic closure. Hence, the only means to precisely know the subgroup of $\ell$-torsion points $E(K)[\ell]$ over $K$ (and not only an upper bound) is to know the structure of $E(K)$.

Lemma 3.3. Let $q$ be a prime power with odd characteristic and let $E/\mathbb{F}_q$ be an elliptic curve defined over $\mathbb{F}_q$. Then the group $E(\mathbb{F}_q)$ of the $\mathbb{F}_q$-rational points of $E/\mathbb{F}_q$ is isomorphic to the finite abelian group $G = \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$ in the following cases:

1. $q = 3$ and $E/\mathbb{F}_q$ admits the following equation up to isomorphism:

$$y^2 + y + 2x^3 + x + 1 = 0.$$

2. $q = 5$ and $E/\mathbb{F}_q$ admits the following equation up to isomorphism:

$$y^2 + 4x^3 + 4x = 0.$$

3. $q = 7$ and $E/\mathbb{F}_q$ admits the following equation up to isomorphism:

$$y^2 + 6x^3 + 1 = 0.$$

4. $q = 9$ and $E/\mathbb{F}_q$ admits the following equation up to isomorphism:

$$y^2 + (x + 1)y + 2x^3 + x^2 + ax + 1 = 0, \quad \text{where } \mathbb{F}_9 = \mathbb{F}_3(a).$$
Proof. Let $N_1(E(\mathbb{F}_q))$ denote the number of $\mathbb{F}_q$-rational points of the elliptic curve $E$ defined over $\mathbb{F}_q$. It is known that the number of $\mathbb{F}_q$-rational points of $E/\mathbb{F}_q$ is equal to $N_1(E(\mathbb{F}_q)) = q + 1 - m$, where the integer $m$ is the trace of the Frobenius, which satisfies $|m| \le 2\sqrt{q}$. Hence, if $N_1(E(\mathbb{F}_q)) = 4$, the only finite fields concerned are $\mathbb{F}_3$, $\mathbb{F}_5$, $\mathbb{F}_7$, and $\mathbb{F}_9$. In this case, we have: $m = 0$ if $q = 3$, $m = 2$ if $q = 5$, $m = 4$ if $q = 7$, and $m = 6$ if $q = 9$. Then, by Theorem 2.1 in [36] (cf. also [35, Theorem 2.4.31]), if $q \ne 3$, $E(\mathbb{F}_q)$ is isomorphic to $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$, else $E(\mathbb{F}_q)$ is either cyclic or isomorphic to $\mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$. It is easy to check that each of the above curves defined over the corresponding finite field has four rational points. Moreover, the curve $y^2 + y + 2x^3 + x + 1 = 0$ defined over $\mathbb{F}_3$ is not cyclic. □

We start by stating the first of our three main results, namely Proposition 3.4, which is an improvement of Proposition 3.2. Then, we prove in Theorem 3.6 that our new Proposition 3.4 allows us to construct, asymptotically with respect to the integer $n$, multiplication algorithms with symmetric bilinear complexity in $O(n(2q)^{\log^*(n)})$. Finally, Theorem 3.9 shows that the complexity of the construction of such algorithms is in time polynomial in $n$.

Proposition 3.4. Let $q$ be a prime power and let $C$ be an elliptic curve defined over $\mathbb{F}_q$. Then, for any integer $n$ such that $n \ge 7$ if $q = 2$, $n \ge 4$ if $q = 3$ and $n \ge 3$ if $q \ge 4$, there exists a symmetric elliptic bilinear algorithm of type Theorem 2.5 constructed from the curve $C$ and from an effective divisor

$$G = u_1 P_1 + \cdots + u_N P_N$$

on $C$ such that the symmetric bilinear complexity $\mu_{q,C}^{sym}(n, 1)$ is bounded by a sum over $i = 1, \dots, N$ whose summands are illegible in the source, where the $P_i$ are $N$ pairwise distinct closed points, of degree $\deg P_i = d_i$, and the $u_i$ are strictly positive integers, provided one of the following conditions is satisfied:

a) The curve $C$ admits one of the following equations up to isomorphism:

$y^2 + y + (x^3 + x + 1) = 0$, if $q = 2$,

$y^2 - (x^3 + 2x + 2) = 0$, if $q = 3$,

$y^2 + y + (x^3 + a) = 0$, if $q = 4$ and $\mathbb{F}_4 = \mathbb{F}_2(a)$,

and

$$\sum_{i=1}^{N} u_i d_i \ge 2n + 3.$$

b) The curve $C$ admits one of the following equations up to isomorphism:

$y^2 + xy + x^3 + x^2 + 1 = 0$, if $q = 2$,

$y^2 - (x^3 + 2x^2 + 2) = 0$, if $q = 3$,

$y^2 + xy + (x^3 + ax^2 + 1) = 0$, if $q = 4$ and $\mathbb{F}_4 = \mathbb{F}_2(a)$,

$y^2 - (x^3 + 2x) = 0$, if $q = 5$,

and either

$$\sum_{i=1}^{N} u_i d_i \ge 2n + 1 \qquad \text{or} \qquad \sum_{i=1}^{N} u_i d_i = 2n \text{ with } \sigma(G) \ne P_\infty.$$

c) The curve $C$ admits one of the following equations up to isomorphism:

$y^2 + y + 2x^3 + x + 1 = 0$, if $q = 3$,

$y^2 + 4x^3 + 4x = 0$, if $q = 5$,

$y^2 + 6x^3 + 1 = 0$, if $q = 7$,

$y^2 + (x + 1)y + 2x^3 + x^2 + ax + 1 = 0$, if $q = 9$ and $\mathbb{F}_9 = \mathbb{F}_3(a)$,

and

$$\sum_{i=1}^{N} u_i d_i \ge 2n + 1.$$

d) The equation of the curve $C$ is different from the above cases up to isomorphism and

$$\sum_{i=1}^{N} u_i d_i \ge 2n.$$

Particularly for $q = 2$, the elliptic curves are

$y^2 + y + x^3 = 0$,
$y^2 + y + x^3 + x = 0$,
$y^2 + xy + x^3 + 1 = 0$,

and for $q = 3$, we obtain

$y^2 + 2x^3 + 2x = 0$,
$y^2 + 2x^3 + x + 2 = 0$,
$y^2 + 2x^3 + 2x^2 + 2 = 0$,
$y^2 + 2x^3 + 2x^2 + 1 = 0$,
$y^2 + 2x^3 + x^2 + 2 = 0$.
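As an added check on Lemma 3.3 and on the curve lists of Proposition 3.4 (example code written for this page, not code from the paper), the following Python script counts the $\mathbb{F}_q$-rational points of each plane model given above over the prime fields $\mathbb{F}_2$, $\mathbb{F}_3$, $\mathbb{F}_5$, $\mathbb{F}_7$, and counts the rational 2-torsion points using only the fact that the Weierstrass equation is monic quadratic in $y$: a rational point is 2-torsion exactly when it is the only rational point with its $x$-coordinate. The models over $\mathbb{F}_4$ and $\mathbb{F}_9$ need extension-field arithmetic and are left out. The labels and the grouping by case are the example's own.

```python
# Added example (not code from the paper): brute-force point counting on the
# plane Weierstrass models listed in Lemma 3.3 and Proposition 3.4 over prime
# fields. Each curve is given by the left-hand side F(x, y) of F(x, y) = 0.
import math


def count_points(q, F):
    """Return (N1, T2) for the curve F(x, y) = 0 over the prime field F_q:
    N1 = number of F_q-rational points, T2 = number of rational 2-torsion
    points, both counting the point at infinity O."""
    n_affine = 0
    two_torsion = 1                      # O is its own negative
    for x in range(q):
        ys = [y for y in range(q) if F(x, y) % q == 0]
        n_affine += len(ys)
        # F is monic quadratic in y, so the second root over F_q is rational
        # too; a unique y therefore means a double root, i.e. P = -P.
        if len(ys) == 1:
            two_torsion += 1
    return n_affine + 1, two_torsion


def frobenius_trace(q, F):
    """m with N1 = q + 1 - m; the Hasse bound |m| <= 2 sqrt(q) is asserted."""
    n1, _ = count_points(q, F)
    m = q + 1 - n1
    assert abs(m) <= 2 * math.sqrt(q)
    return m


def torsion_inequality_holds(q, F):
    """The criterion of the proof of cases c) and d): C(F_q)[2] + 1 < N1."""
    n1, t2 = count_points(q, F)
    return t2 + 1 < n1


CURVES = {
    # Lemma 3.3: q odd, N1 = 4 and every point is 2-torsion (Z/2Z x Z/2Z)
    "L3.3 q=3": (3, lambda x, y: y * y + y + 2 * x**3 + x + 1),
    "L3.3 q=5": (5, lambda x, y: y * y + 4 * x**3 + 4 * x),
    "L3.3 q=7": (7, lambda x, y: y * y + 6 * x**3 + 1),
    # Proposition 3.4 a): class number one (N1 = 1)
    "3.4a q=2": (2, lambda x, y: y * y + y + x**3 + x + 1),
    "3.4a q=3": (3, lambda x, y: y * y - (x**3 + 2 * x + 2)),
    # Proposition 3.4 b): N1 = 2
    "3.4b q=2": (2, lambda x, y: y * y + x * y + x**3 + x * x + 1),
    "3.4b q=3": (3, lambda x, y: y * y - (x**3 + 2 * x * x + 2)),
    "3.4b q=5": (5, lambda x, y: y * y - (x**3 + 2 * x)),
    # the remaining models listed for q = 2 and q = 3 (case d))
    "3.4d q=2 #1": (2, lambda x, y: y * y + y + x**3),
    "3.4d q=2 #2": (2, lambda x, y: y * y + y + x**3 + x),
    "3.4d q=2 #3": (2, lambda x, y: y * y + x * y + x**3 + 1),
    "3.4d q=3 #1": (3, lambda x, y: y * y + 2 * x**3 + 2 * x),
    "3.4d q=3 #2": (3, lambda x, y: y * y + 2 * x**3 + x + 2),
    "3.4d q=3 #3": (3, lambda x, y: y * y + 2 * x**3 + 2 * x * x + 2),
    "3.4d q=3 #4": (3, lambda x, y: y * y + 2 * x**3 + 2 * x * x + 1),
    "3.4d q=3 #5": (3, lambda x, y: y * y + 2 * x**3 + x * x + 2),
}


def summary():
    """Map each label to (N1, T2, trace, C(F_q)[2] + 1 < N1)."""
    out = {}
    for label, (q, F) in CURVES.items():
        n1, t2 = count_points(q, F)
        out[label] = (n1, t2, frobenius_trace(q, F), torsion_inequality_holds(q, F))
    return out


if __name__ == "__main__":
    for label, (n1, t2, m, ok) in summary().items():
        print(f"{label:12s} N1={n1} 2-torsion={t2} trace={m} [2]+1<N1: {ok}")
```

For the three Lemma 3.3 curves the script returns $N_1 = 4$ with all four points of order dividing 2, which is exactly the statement $E(\mathbb{F}_q) \simeq \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$ (a group of order 4 is non-cyclic if and only if every element is 2-torsion), together with the traces $m = 0, 2, 4$ given in the proof of the lemma. The curves of cases a) and b) return $N_1 = 1$ and $N_1 = 2$ respectively, and every curve listed under case d) satisfies $C(\mathbb{F}_q)[2] + 1 < N_1(C(\mathbb{F}_q))$, the inequality used in the proof of Proposition 3.4, while the Lemma 3.3 curves of case c) do not.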

Proof. To begin with, it is necessary to prove that for any $q$ and any integer $n \ge 3$, there exists a closed point $Q$ of degree $n$ and a divisor $D$ such that both evaluation maps, in a symmetric algorithm of type Theorem 2.5, are surjective and injective. For the sake of simplicity, we use the language of algebraic function fields. It is well known, by Lemma 2.1 of [18], that for any integer $n \ge 3$ and for any prime power $q \ge 4$, all the elliptic function fields defined over $\mathbb{F}_q$ have at least a place $Q$ of degree $n$. The cases $q = 3$ and $q = 2$ still had to be dealt with. For $q = 3$ and $n \ge 4$ and for $q = 2$ and $n \ge 7$, we have:

$$n > 2\log_q\left(\frac{3}{q^{1/2} - 1}\right),$$

which proves, by [34, Corollary V.2.10 (c)], that there exists at least a place $Q$ of degree respectively $n \ge 7$ for $q = 2$ and $n \ge 4$ for $q = 3$ for any elliptic algebraic function field $E/\mathbb{F}_q$ defined over $\mathbb{F}_q$. Let us prove now that for any $q$ and for any elliptic function field $E/\mathbb{F}_q$ defined over $\mathbb{F}_q$, there exists a divisor $D$ such that we can construct a symmetric algorithm of type Theorem 2.5.

• Proof of a). If $N_1(C(\mathbb{F}_q)) = 1$, we know by [26] and [27] that the elliptic solutions to the divisor class number one problem are given by the equations of case a). Moreover, as $\deg G \geq 2n + 3$, it is sufficient to take a divisor $D = D_1 = D_2$ of degree $n + 1$: conditions (i') and (ii') of Theorem 2.5 are then trivially satisfied because respectively $\deg(2D - G) < 0$ and $\deg(D - Q) > 2g - 2$ with $g = 1$.

• Proof of b). If $N_1(C(\mathbb{F}_q)) = 2$, we know by [24] and [25] that the elliptic solutions to the divisor class number two problem are given by the equations of case b). Moreover, this means that there exists a divisor $\mathcal{R}$ of degree zero which is not linearly equivalent to the zero divisor. Then by taking $D = D_1 = D_2 = \mathcal{R} + Q$, condition (ii') of Theorem 2.5 is satisfied. It also means that the Jacobian of $C/\mathbb{F}_q$ is of 2-torsion, so $\mathrm{cl}(2D - G) = \mathrm{cl}(2D) + \mathrm{cl}(-G) = \mathrm{cl}(G)$. Then if $\mathrm{cl}(G)$ is not the trivial class (the class of $P_\infty$) and $\deg G = 2n$, the divisor $2D - G$ is not linearly equivalent to the zero divisor, which proves that $2D - G$ is non-special of degree zero and condition (i') of Theorem 2.5 is satisfied. Otherwise, $\deg G \geq 2n + 1$, thus $\deg(2D - G) < 0$ and $2D - G$ is trivially of dimension zero, which implies condition (i') and proves case b).

• Proof of c) and d). If $N_1(C(\mathbb{F}_q)) \geq 3$, it is sufficient to prove the following inequality, by [13, Chapter 9] and in relation to the proof of the Claim in [33, Theorem 3.1] (cf. also [15]):
$$\# C(\mathbb{F}_q)[2] + 1 < N_1(C(\mathbb{F}_q)),$$
where $C(\mathbb{F}_q)[2]$ denotes the set of 2-torsion rational points of the elliptic curve $C/\mathbb{F}_q$. It is known that the number of 2-torsion points of an elliptic curve defined over a finite field $\mathbb{F}_q$ is at most four (cf. [37] and [36]). Hence the inequality is satisfied for any elliptic curve having at least six rational points. We discuss thereafter the particular cases where $3 \leq N_1(C(\mathbb{F}_q)) \leq 5$.

– If $N_1(C(\mathbb{F}_q)) = 3$ or $5$, the group of rational points has odd order, so there is no nontrivial 2-torsion point; thus $\# C(\mathbb{F}_q)[2] = 1$ and the inequality is also satisfied.

– If $N_1(C(\mathbb{F}_q)) = 4$ and

1. if the characteristic of $\mathbb{F}_q$ is even, then by a general theorem of Weil (cf. [30, Theorem 11.12]) applied to elliptic abelian varieties, the number of 2-torsion points of an elliptic curve defined over a finite field $\mathbb{F}_q$ is at most two, and the inequality is also satisfied;

2. if the characteristic of $\mathbb{F}_q$ is odd, only the elliptic curves of Lemma 3.3 admit four 2-torsion points, and for them the inequality is not satisfied. However, there exists a divisor $\mathcal{R}$ of degree zero which is not linearly equivalent to the zero divisor. Consequently, by taking $D = D_1 = D_2 = \mathcal{R} + Q$, condition (ii') of Theorem 2.5 is satisfied, as well as condition (i') since $\deg(2D - G) < 0$, which gives c) and completes the proof.

□ 

Definition 3.5. The iterated logarithm of $n$, written $\log^*(n)$, is defined by the following recursive function:
$$\log^*(n) = \begin{cases} 0 & \text{if } n \leq 1, \\ 1 + \log^*(\log_q(n)) & \text{otherwise,} \end{cases}$$
and corresponds to the number of times the logarithm (in base $q$) must be iteratively applied to $n$ before the result is less than or equal to 1.

Theorem 3.6. Let $q$ be a prime power and let $C$ be an elliptic curve defined over $\mathbb{F}_q$. Then, for any integer $n$ such that $n \geq 7$ if $q = 2$, $n \geq 4$ if $q = 3$ and $n \geq 3$ if $q \geq 4$, there exists a symmetric elliptic bilinear algorithm of type Theorem 2.5 constructed from the curve $C$ such that
$$\mu^{sym}_{q,C}(n) \in O\!\left(n\,(2q)^{\log^*(n)}\right).$$

Notice that $(2q)^{\log^*(n)}$ is a very slowly growing function, as illustrated in Table 2.



Table 2: Values of $(2q)^{\log^*(n)}$ for $q = 2$ and $n \leq 2^{65536}$.

    n                    log*(n)    (2q)^{log*(n)}
    (1, 2]               1          4
    (2, 4]               2          16
    (4, 16]              3          64
    (16, 65536]          4          256
    (65536, 2^65536]     5          1024



Proof. Without loss of generality, let $C$ be an elliptic curve whose model does not appear in cases a) and b) of Theorem 3.4. Let $G$ be the divisor on $C$ such that
$$G = u_1 P_1 + \cdots + u_N P_N.$$
Concentrating on the worst case, we can assume that

• we do not use derivative evaluation, that is $u_i = 1$ for $1 \leq i \leq N$,

• we only use places of a fixed degree, that is $\deg(P_1) = \ldots = \deg(P_N) = d_1$.

With these assumptions $G = P_1 + \cdots + P_{B_{d_1}}$, where $B_{d_1}$ denotes the number of places of degree $d_1$. From Theorem 3.4, if $C$ is one of the elliptic curves of case d) and $\deg(G) = d_1 B_{d_1} \geq 2n$, then
$$\mu^{sym}_{q,C}(n) \leq \sum_{i=1}^{B_{d_1}} \mu^{sym}_q(\deg P_i) = B_{d_1}\,\mu^{sym}_q(d_1). \qquad (4)$$
From [34, Corollary 5.2.10] applied to elliptic curves, we know that $B_{d_1}$ verifies
$$\frac{q^{d_1}}{d_1} - 9\,\frac{q^{d_1/2}}{d_1} < B_{d_1} < \frac{q^{d_1}}{d_1} + 9\,\frac{q^{d_1/2}}{d_1}.$$
Asymptotically, $B_{d_1} \in O\!\left(\frac{q^{d_1}}{d_1}\right)$ and then $\deg(G) \in O(q^{d_1})$. Let $d_1$ be the smallest integer such that $q^{d_1} \geq 2n$; then $q^{d_1 - 1} < 2n$, hence $q^{d_1} < 2qn$ and $d_1 \in O(\log_q(2n))$. Thus
$$B_{d_1} \in O\!\left(\frac{2qn}{d_1}\right)$$
and then, by (4),
$$\mu^{sym}_{q,C}(n) \in O\!\left(\frac{2qn}{d_1}\,\mu^{sym}_q(d_1)\right).$$
Using the process recursively (the bound (4) applied to the extension of degree $d_1$, with places of degree $d_2$), we obtain
$$\mu^{sym}_q(d_1) \in O\!\left(\frac{2q\,d_1}{d_2}\,\mu^{sym}_q(d_2)\right),$$
where $d_2 \in O(\log_q(2d_1))$. With this procedure, we have
$$\mu^{sym}_q(d_{i-1}) \in O\!\left(\frac{2q\,d_{i-1}}{d_i}\,\mu^{sym}_q(d_i)\right), \qquad \text{with } d_i \in O(\log_q(2d_{i-1})), \text{ for } 1 < i \leq k,$$
and consequently, multiplying these bounds,
$$\mu^{sym}_{q,C}(n) \in O\!\left(\frac{(2q)^k\, n}{d_k}\,\mu^{sym}_q(d_k)\right).$$
Let $k = \log^*(2n)$; then we have
$$d_k \in O\Big(\underbrace{\log_q(\log_q(\ldots(\log_q(2n))\ldots))}_{k \text{ terms}}\Big) \leq 1,$$
and thus $\mu^{sym}_q(d_k) \in O(1)$. Finally
$$\mu^{sym}_{q,C}(n) \in O\!\left(n\,(2q)^{\log^*(n)}\right).$$

□
Corollary 3.7. For any integer $n$ such that $n \geq 7$ if $q = 2$, $n \geq 4$ if $q = 3$ and $n \geq 3$ if $q \geq 4$, there exists a symmetric elliptic bilinear algorithm of type Theorem 2.5 constructed from a curve of genus one and from an effective divisor
$$G = u_1 P_1 + \cdots + u_N P_N$$
on this curve, where the $P_i$ are $N$ pairwise distinct closed points of degree $\deg P_i = d_i$ and the $u_i$ are strictly positive integers, such that
$$\mu^{sym}_q(n) \in O\!\left(n \cdot (2q)^{\log^*(n)}\right).$$

Proof. The proof is similar to the proof of Theorem 3.6. Indeed, for a fixed genus $g$, the number $B_d$ of places of degree $d$, as claimed in [34, Corollary 5.2.10], is such that
$$\frac{q^d}{d} - (2 + 7g)\,\frac{q^{d/2}}{d} < B_d < \frac{q^d}{d} + (2 + 7g)\,\frac{q^{d/2}}{d}.$$
Thus, for each curve of genus $g$, $B_d$ is asymptotically the same. Consequently, changing the model of the elliptic curve does not change the proof, and does not change asymptotically the bilinear complexity. □

Elliptic curves have already been used to bound the bilinear complexity of multiplication (see for example the work of Shokrollahi [32], Ballet [4], and Chaumine [18]). Recently, Couveignes and Lercier [19] proposed a multiplication algorithm for finite field extensions $\mathbb{F}_{q^n}$ using normal elliptic bases. Their multiplication tensor consists of 5 convolution products, 2 component-wise products, 1 addition and 3 subtractions. Note that convolution products can be computed at the expense of $O(n \log n \log|\log(n)|)$ operations in $\mathbb{F}_q$. Asymptotically, the tensor they produce is not competitive with ours from the point of view of bilinear complexity.



3.3 Complexity of the construction

Studies on bilinear complexity are well advanced; however, we do not know a single polynomial-time construction of a bilinear multiplication algorithm with linear or quasi-linear multiplicative complexity. In the case of bilinear multiplication algorithms with linear multiplicative complexity, namely the usual strategy based upon the construction with growing genus, we cannot give information about the complexity of the construction. Indeed, it is completely unclear how to construct explicitly points of high degree [33, Section 4, Remark 5]. However, using the new strategy with elliptic curves, we show that we can polynomially construct symmetric elliptic bilinear multiplication algorithms with quasi-linear multiplicative complexity.

Lemma 3.8. Let $E$ be an elliptic curve defined over $\mathbb{F}_q$ and let $F/\mathbb{F}_q$ be the associated elliptic function field. Then we can construct a place of degree $n$ of $F/\mathbb{F}_q$ in time polynomial in $n$.






Proof. In order to construct a place $Q$ of degree $n$ of the elliptic function field $F/\mathbb{F}_q$, we first have to construct a rational point $\mathcal{P} = (x_{\mathcal{P}}, y_{\mathcal{P}})$ of $E$ defined over $\mathbb{F}_{q^n}$, and then we need to apply to the point $\mathcal{P}$, $n$ times, the Frobenius map $\varphi$ defined by
$$\varphi : E(\mathbb{F}_{q^n}) \longrightarrow E(\mathbb{F}_{q^n}), \qquad (x, y) \longmapsto (x^q, y^q).$$
Thus the orbit of $\mathcal{P}$ under the action of $\varphi$ is a place of degree $n$, provided that $\mathcal{P}$ is not defined over a proper subfield $\mathbb{F}_{q^d}$ of $\mathbb{F}_{q^n}$ ($d \mid n$, $d < n$); in that case the orbit has only $d$ elements and is a place of degree $d$, so in practice one checks that $\varphi^d(\mathcal{P}) \neq \mathcal{P}$ for every proper divisor $d$ of $n$. In 2006, Shallue and van de Woestijne [31] gave a deterministic polynomial-time algorithm that computes a nontrivial rational point given a Weierstrass equation for the elliptic curve. More precisely, they performed the computation of a nontrivial rational point on an elliptic curve $E$ defined over $\mathbb{F}_q$ in time polynomial in $\log(q)$. It follows that $\mathcal{P}$ can be constructed in time polynomial in $\log(q^n)$, and thus in time polynomial in $n$ since $q$ is fixed. The action of the Frobenius map $\varphi$ on the point $\mathcal{P}$ is simply a modular exponentiation that can be done in polynomial time. Consequently, constructing a place of degree $n$ of an elliptic function field can be done in time polynomial in $n$. □
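To make the construction of Lemma 3.8 concrete, here is an added example (it is not code from the paper) over $\mathbb{F}_2$ with $n = 7$, the smallest degree allowed for $q = 2$, on the curve $y^2 + y + x^3 = 0$ of Theorem 3.4. Two choices are assumptions of this example and not taken from the paper: $\mathbb{F}_{2^7}$ is represented as $\mathbb{F}_2[x]/(x^7 + x + 1)$, and the point $\mathcal{P}$ is found by the half-trace solution of the Artin-Schreier equation $y^2 + y = x^3$ instead of the Shallue-van de Woestijne algorithm cited in the proof. The orbit under $\varphi$ is computed by repeated squaring and its length is checked: it is 7 for a point outside $E(\mathbb{F}_2)$ and 1 for the rational point $(0,0)$, which is the subfield caveat of the proof.

```python
"""Degree-n place of the elliptic function field of y^2 + y + x^3 = 0 over F_2,
obtained as a Frobenius orbit of a point of E(F_{2^n}) (added example)."""

N = 7                       # extension degree; Theorem 3.6 needs n >= 7 for q = 2
MODULUS = 0b10000011        # x^7 + x + 1, irreducible over F_2 (assumed model of F_{2^7})


def gf_mul(a, b):
    """Product in F_{2^N} = F_2[x]/(MODULUS); ints with bit i = coefficient of x^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:                  # degree reached N: reduce by the modulus
            a ^= MODULUS
    return r


def gf_sq(a):
    """Squaring is the q-Frobenius on F_{2^N} (q = 2)."""
    return gf_mul(a, a)


def trace(c):
    """Absolute trace Tr(c) = c + c^2 + ... + c^(2^(N-1)), a value in F_2."""
    t, p = 0, c
    for _ in range(N):
        t ^= p
        p = gf_sq(p)
    return t


def half_trace(c):
    """For odd N, H(c) = sum_{i=0}^{(N-1)/2} c^(4^i) satisfies H^2 + H = c + Tr(c)."""
    h, p = 0, c
    for _ in range((N - 1) // 2 + 1):
        h ^= p
        p = gf_sq(gf_sq(p))
    return h


def on_curve(pt):
    """True iff y^2 + y + x^3 = 0 holds for pt = (x, y)."""
    x, y = pt
    return gf_sq(y) ^ y ^ gf_mul(gf_sq(x), x) == 0


def find_point(start=2):
    """First x >= start with Tr(x^3) = 0; then y = H(x^3) solves y^2 + y = x^3.
    Starting at 2 skips x in F_2 = {0, 1}, so the point is not in E(F_2)."""
    for x in range(start, 1 << N):
        c = gf_mul(gf_sq(x), x)
        if trace(c) == 0:
            return (x, half_trace(c))
    raise ValueError("no point with Tr(x^3) = 0 found")


def frobenius_orbit(pt):
    """Orbit of pt under phi: (x, y) -> (x^2, y^2). The orbit is a closed point
    (a place) whose degree is the orbit length; it equals N only when pt is not
    defined over a proper subfield of F_{2^N}."""
    orbit = [pt]
    cur = (gf_sq(pt[0]), gf_sq(pt[1]))
    while cur != pt:
        orbit.append(cur)
        cur = (gf_sq(cur[0]), gf_sq(cur[1]))
    return orbit


def degree_n_place():
    """A place of degree N: the Frobenius orbit of a point of E(F_{2^N}) outside E(F_2)."""
    orbit = frobenius_orbit(find_point())
    assert len(orbit) == N, "point lies in a proper subfield"
    return orbit


if __name__ == "__main__":
    place = degree_n_place()
    print("degree", len(place), "place:", place)
    print("orbit of the rational point (0,0):", frobenius_orbit((0, 0)))
```

Since 7 is prime, every point of $E(\mathbb{F}_{2^7})$ outside $E(\mathbb{F}_2)$ gives an orbit of length 7; for a composite $n$ the same `frobenius_orbit` length test rejects points lying in $E(\mathbb{F}_{2^d})$ for a proper divisor $d$ of $n$.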

Theorem 3.9. Given an elliptic curve $E$ defined over $\mathbb{F}_q$, one can polynomially construct a sequence $\mathcal{A}_{q,n}$ of symmetric elliptic bilinear multiplication algorithms in the finite fields $\mathbb{F}_{q^n}$, for a given sequence $n \to +\infty$, such that
$$\mu^{sym}(\mathcal{A}_{q,n}) \in O\!\left(n\,(2q/K)^{\log^*(n)}\right),$$
where $K = 2/3$ if the characteristic of $\mathbb{F}_q$ is 2 or 3, and $K = 5/8$ otherwise.

Proof. Let $F/\mathbb{F}_q$ be the elliptic function field associated to the curve $E$. According to the proof of Theorem 3.6, to construct a symmetric elliptic multiplication algorithm in $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$, we first have to construct places and a divisor of certain degrees. Indeed, we need to construct

• a place $Q$ of degree $n$ of $F/\mathbb{F}_q$,

• a divisor $D$ of degree $n$ of $F/\mathbb{F}_q$,

• a sufficient number $N$ of places of degree $d$ of $F/\mathbb{F}_q$, such that the degree of the divisor $G$ formed by these $N$ places is greater than or equal to $2n$.

The divisor $D$ and the place $Q$ are equivalent in terms of construction (in practice we can take any place to construct a divisor [3]), so their complexities of construction are similar, and from Lemma 3.8 this complexity is polynomial in $n$. The point now is to construct sufficiently many places of degree $d$ of $F/\mathbb{F}_q$. To achieve this, from Lemma 3.8 it suffices to construct rational points of the curve $E$ over $\mathbb{F}_{q^d}$. Icart [23] shows that it is possible to construct deterministically a constant proportion $K$ of the rational points of an elliptic curve defined over $\mathbb{F}_q$. More precisely, his method allows us to construct $K = 5/8$ of the number of rational points in time polynomial in $\log^3(q)$. Note that if the characteristic of $\mathbb{F}_q$ is 2 or 3, Farashi et al. [21] proved that $K = 2/3$. This implies that asymptotically, we can construct in time polynomial in $\log^3(q^d)$ a sufficient number of places of degree $d$ of $F/\mathbb{F}_q$ by choosing $d$ such that $q^d \geq 2n/K$. Finally, the complexity of construction of the places of degree $d$ is polynomial in $\log^3(n)$, thus polynomial in $n$. In conclusion, we can polynomially construct symmetric elliptic bilinear multiplication algorithms since, for a given divisor $D$, constructing the vector spaces $\mathcal{L}(D)$, $\mathcal{L}(2D)$, the associated bases $\mathcal{B}_D$, $\mathcal{B}_{2D}$ and the evaluation maps $Ev_Q$, $Ev_{\mathcal{P}}$ can be done polynomially [33, Section 4, Remarks] (cf. also [35, p. 509, Remark 4.3.33]). □

Remark 3.10. This complexity can indeed be refined. We plan to study in 
detail this problem in a forthcoming work. 

4 Upper Bounds and Example of construction

Using our strategy, we propose in this section:

• upper bounds of symmetric bilinear complexity for large extensions of the finite fields $\mathbb{F}_2$ and $\mathbb{F}_3$, and

• an example of a multiplication algorithm construction.

In order to obtain the best bounds of symmetric bilinear complexity, we use our Theorem 3.4 not with the bounds $\mu^{sym}_{q,C}(\deg P_i, u_i)$ derived from the same elliptic curve $C$, but with the best known bounds for $\mu_q(\deg P_i, u_i)$ as in Theorem 3.2. Moreover, for a fixed $n$, to obtain the best bounds of symmetric bilinear complexity, we need to find the best curve of genus one, and thus we compute not $\mu^{sym}_{q,C}(n)$ for a fixed curve $C$ but its minimum over the elliptic curves $C$ defined over $\mathbb{F}_q$. Throughout the rest of the paper we write $\mu^{sym}_q(n)$ for this minimum.

4.1 New Bounds

In elliptic curve cryptography, the NIST suggests using finite fields with $2^{163}$, $2^{233}$, $2^{283}$, $2^{409}$ and $2^{571}$ elements [28]. Randriambololona in [29] obtained the following bound:
$$\mu^{sym}_2(163) \leq 910.$$
We improve this bound to
$$\mu^{sym}_2(163) \leq 906.$$
In order to improve the bound on $\mu^{sym}_2(163)$, we seek, among the curves given in Theorem 3.4, the one which provides the lowest bilinear complexity. Using higher multiplicity only with places of degree one and degree two, the best curve turns out to be $y^2 + y + x^3 = 0$. This curve has 3 points of degree 1, and the lowest bilinear complexity is obtained with the divisor $G$ of degree $2 \cdot 163$ defined as follows: we take all 3 points of degree 1 with multiplicity 4, all 3 points of degree 2 with multiplicity 2, and all 2 points of degree 3, all 6 points of degree 5, all 11 points of degree 6 and 25 points of degree 8, all with multiplicity 1. Then the degree of $G$ is
$$\deg G = 3\cdot1\cdot4 + 3\cdot2\cdot2 + 2\cdot3\cdot1 + 6\cdot5\cdot1 + 11\cdot6\cdot1 + 25\cdot8\cdot1 = 326 = 2\cdot163.$$
From Theorem 3.4 used with the best known bounds for $\mu_q(\deg P_i, u_i)$ and the values of Table 1, we obtain
$$\begin{aligned}
\mu^{sym}_2(163) &\leq 3\,\mu_2(1,4) + 3\,\mu_2(2,2) + 2\,\mu_2(3,1) + 6\,\mu_2(5,1) + 11\,\mu_2(6,1) + 25\,\mu_2(8,1) \\
&\leq 3\,M_2(4) + 3\,\mu_2(2)\,M_2(2) + 2\,\mu_2(3) + 6\,\mu_2(5) + 11\,\mu_2(6) + 25\,\mu_2(8) \\
&\leq 3\cdot8 + 3\cdot3\cdot3 + 2\cdot6 + 6\cdot13 + 11\cdot15 + 25\cdot24 \\
\mu^{sym}_2(163) &\leq 906.
\end{aligned}$$

Table 3 (respectively Table 4) gives the optimal bounds for $\mu^{sym}_2(n)$ (respectively $\mu^{sym}_3(n)$); the extension degrees for $\mathbb{F}_2$ are those recommended by the NIST for elliptic curve cryptography. The column $N$ gives the number of places of each degree (degree 1, 2, 3, ... from left to right) used to obtain the optimal bound, and the column $U$ the associated multiplicities for derivative evaluation. As an example, for $n = 233$ we obtain the bound 1340 using the elliptic curve (up to isomorphism) defined by $y^2 + xy + x^3 + 1 = 0$. This bound is achieved with $N = [4, 2, 0, 2, 8, 8, 10, 34]$ and $U = [5, 2, 1, 1, 1, 1, 1, 1]$, meaning that we use 4 places of degree one with multiplicity $u_1 = 5$, 2 places of degree two with multiplicity $u_2 = 2$, and the remainder with multiplicity 1.



Table 3: Optimal bounds for $\mu^{sym}_2(n)$.

    n     mu_2^sym(n)   Elliptic curve             N                            U
    163   906           y^2 + y + x^3 = 0          [3,3,2,0,6,11,0,25]          [4,2,1,1,1,1,1,1]
    233   1340          y^2 + xy + x^3 + 1 = 0     [4,2,0,2,8,8,10,34]          [5,2,1,1,1,1,1,1]
    283   1668          y^2 + xy + x^3 + 1 = 0     [4,2,0,2,8,8,14,34,8]        [5,2,1,1,1,1,1,1,1]
    409   2495          y^2 + xy + x^3 + 1 = 0     [4,2,0,2,8,8,16,34,0,31]     [5,2,1,1,1,1,1,1,1,1]
    571   3566          y^2 + xy + x^3 + 1 = 0     [4,2,0,2,8,8,16,34,2,62]     [5,1,1,1,1,1,1,1,1,1]



Table 4: Optimal bounds for $\mu^{sym}_3(n)$.

    n     mu_3^sym(n)   Elliptic curve              N                     U
    57    234           y^2 + 2x^3 + 2x^2 + 1 = 0   [3,6,11,15]           [3,1,1,1]
    97    426           y^2 + 2x^3 + 2x^2 + 1 = 0   [3,6,11,15,16]        [3,1,1,1,1]
    150   681           y^2 + 2x^3 + 2x^2 + 1 = 0   [3,6,11,14,38]        [3,1,1,1,1]
    200   925           y^2 + 2x^3 + x^2 + 1 = 0    [2,5,12,21,47,5]      [3,1,1,1,1,1]
    400   1926          y^2 + 2x^3 + x^2 + 1 = 0    [2,5,12,21,47,72]     [2,1,1,1,1,1]
4.2 Effective multiplication algorithm in $\mathbb{F}_{3^{57}}$

In this section, we choose to present the construction of the multiplication algorithm in $\mathbb{F}_{3^{57}}$ with 234 bilinear multiplications, using elliptic curves, points of higher degree and higher multiplicity.



4.2.1 Method

Let $\alpha$ and $\beta$ be two elements of $\mathbb{F}_{3^{57}}$. Since there exists a point $Q$ of degree 57, the residue class field $\mathcal{O}_Q/Q$ is isomorphic to $\mathbb{F}_{3^{57}}$ and we can consider that both elements are in $\mathcal{O}_Q/Q$. Furthermore, there exists a divisor $D$ such that the evaluation map
$$Ev_Q : \mathcal{L}(D) \longrightarrow \mathcal{O}_Q/Q, \qquad f \longmapsto f(Q)$$
is surjective. Hence there exist two functions $f_\alpha, f_\beta \in \mathcal{L}(D)$ such that $Ev_Q(f_\alpha) = \alpha$ and $Ev_Q(f_\beta) = \beta$. Finally, to obtain the product $\alpha\beta$, we compute $Ev_Q(f_\alpha f_\beta) = \alpha\beta$. At this step, we have to construct the unique $f_\gamma \in \mathcal{L}(2D)$ such that $f_\alpha f_\beta = f_\gamma$. The uniqueness of $f_\gamma$ comes from the injectivity of the second evaluation map $Ev_{\mathcal{P}}$. Consider $f_\alpha = \sum_{i=1}^{57} a_i f_i$, $f_\beta = \sum_{i=1}^{57} b_i f_i$ and $f_\gamma$ the product of $f_\alpha$ and $f_\beta$, given by the relation
$$\left(\sum_{i=1}^{57} a_i f_i\right)\left(\sum_{i=1}^{57} b_i f_i\right) = \sum_{i=1}^{114} c_i f_i, \qquad (5)$$
where $\{f_1, \ldots, f_{114}\}$ is a basis of $\mathcal{L}(2D)$ containing the basis $\{f_1, \ldots, f_{57}\}$ of $\mathcal{L}(D)$. Evaluating (5) at the places in the support of $G$ gives a linear system $\mathcal{M} = \mathcal{G}\,C$ with $C = (c_1, \ldots, c_{114})^T$, where $\mathcal{M}$ (the vector of linear combinations of the bilinear products) and $\mathcal{G}$ are the matrix representation of the relation (5); it is made explicit in Section 4.2.6.



4.2.2 Choice of the degree of places

For a fixed $n$, it is not clear in general how to find the maximal degree of the places to use, but in the elliptic case it is easy. From the proof of Theorem 3.6, the maximal degree $d$ of the places must verify $q^d \geq 2n$, so $d$ equals 5 for $n = 57$ (since $3^4 = 81 < 114 \leq 3^5 = 243$).



4.2.3 Choice of the curve

Let $P_j$ denote the set of places of degree $j$ and $P_j[k]$ the $k$-th place of degree $j$. In order to find the suitable curve, one just has to execute the procedure below for each curve of Theorem 3.4:

1. construct the associated elliptic function field,

2. determine all places of degree 1, 2, 3, 4 and 5,

3. find all combinations of the divisor $G = u_1 P_1 + \cdots + u_N P_N$ with the appropriate degree,

4. for each combination, compute $\sum_{i=1}^{N} \mu_q(\deg P_i, u_i)$ and store the lowest bilinear complexity.

Note that supersingular curves can be used without danger here: their weakness for discrete-logarithm-based cryptography is irrelevant, since we only use their points for interpolation. Results of the previous procedure are collected in Table 5.



Table 5: Choice of the curve for $\mu^{sym}_3(57)$.

    Equation                          N               U             mu_3^sym(57)
    C : y^2 + 2x^3 + 2x^2 + 2 = 0     [6,3,4,21,0]    [2,1,1,1,1]   240
    C : y^2 + 2x^3 + x^2 + 1 = 0      [2,5,12,15,1]   [2,1,1,1,1]   240
    C : y^2 + 2x^3 + x^2 + 2 = 0      [5,5,5,15,3]    [3,1,1,1,1]   241
    C : y^2 + 2x^3 + 2x^2 + 1 = 0     [3,6,11,15,0]   [3,1,1,1,1]   234
    C : y^2 + 2x^3 + 2x = 0           [4,6,8,9,6]     [3,1,1,1,1]   239
    C : y^2 + 2x^3 + x + 2 = 0        [7,0,7,18,0]    [3,1,1,1,1]   239
    C : y^2 + 2x^3 + x + 1 = 0        [1,3,9,19,1]    [3,1,1,1,1]   251



From Table 5, the suitable curve, up to isomorphism, is
$$E : y^2 + 2x^3 + 2x^2 + 1 = 0,$$
and the divisor $G$ is constructed as follows: we take all 3 points of degree 1 with multiplicity 3, and then all 6 points of degree 2, all 11 points of degree 3 and all 15 points of degree 4, all with multiplicity 1. One checks that $G$ has degree
$$\deg G = 3\cdot1\cdot3 + 6\cdot2\cdot1 + 11\cdot3\cdot1 + 15\cdot4\cdot1 = 114 = 2\cdot57.$$
Using the values of Table 1, we obtain
$$\begin{aligned}
\mu^{sym}_3(57) &\leq 3\,\mu_3(1,3) + 6\,\mu_3(2,1) + 11\,\mu_3(3,1) + 15\,\mu_3(4,1) \\
&\leq 3\,M_3(3) + 6\,\mu_3(2) + 11\,\mu_3(3) + 15\,\mu_3(4) \\
&\leq 3\cdot5 + 6\cdot3 + 11\cdot6 + 15\cdot9 \\
\mu^{sym}_3(57) &\leq 234.
\end{aligned}$$
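The search of steps 3 and 4 of Section 4.2.3, and the computation of the bound 906 for $n = 163$ in Section 4.1, can be automated. The following Python program is an added example and not code from the paper. It first computes the numbers $B_d$ of places of each degree from the number $N_1$ of rational points, using $\#E(\mathbb{F}_{q^k}) = q^k + 1 - (\alpha^k + \beta^k)$ for the Frobenius eigenvalues $\alpha, \beta$ and $\#E(\mathbb{F}_{q^d}) = \sum_{e \mid d} e\,B_e$; it then solves the bounded knapsack "use at most $B_d$ places of degree $d$, one multiplicity $u$ per place, reach $\sum u_i d_i \geq 2n$, minimise $\sum \mu_q(d_i, u_i)$" with the cost model of this page: $\mu_q(d)$ for $u = 1$, $M_q(u)$ for $d = 1$, and the product bound $\mu_q(d) M_q(u)$ otherwise. The tables of $\mu_q(d)$ and $M_q(u)$ embedded below contain only the values quoted on this page (Sections 4.1 and 4.2.5); degrees whose $\mu_q$ is not quoted are simply not offered to the search, which is why the search is restricted to degree $\leq 4$ for $q = 3$.

```python
"""Count places by degree on an elliptic curve over F_q and choose the divisor
G = sum u_i P_i minimising the bound of Theorem 3.4 (added example)."""
from collections import Counter


def point_counts(q, n1, max_deg):
    """#E(F_{q^k}) for k = 1..max_deg from the Frobenius trace a = q + 1 - n1,
    via the power sums s_k = alpha^k + beta^k, s_k = a*s_{k-1} - q*s_{k-2}."""
    a = q + 1 - n1
    s_prev, s_cur = 2, a                      # s_0, s_1
    counts = [n1]
    for k in range(2, max_deg + 1):
        s_prev, s_cur = s_cur, a * s_cur - q * s_prev
        counts.append(q ** k + 1 - s_cur)
    return counts


def place_counts(q, n1, max_deg):
    """B_d, the number of places of degree d (d = 1..max_deg), from
    #E(F_{q^d}) = sum_{e | d} e * B_e."""
    npts = point_counts(q, n1, max_deg)
    b = []
    for d in range(1, max_deg + 1):
        lower = sum(e * b[e - 1] for e in range(1, d) if d % e == 0)
        b.append((npts[d - 1] - lower) // d)
    return b


def cost(d, u, mu, mult):
    """Bilinear cost of one place of degree d used with multiplicity u:
    mu_q(d) if u = 1, M_q(u) if d = 1, else the product bound mu_q(d) * M_q(u)
    (the bound used on this page, e.g. mu_2(2, 2) <= mu_2(2) M_2(2))."""
    if u == 1:
        return mu[d]
    if d == 1:
        return mult[u]
    return mu[d] * mult[u]


def best_divisor(n, counts, mu, mult):
    """Minimise sum_i cost(d_i, u_i) subject to sum_i u_i * d_i >= 2n, using each
    place at most once (bounded knapsack; the total degree is capped at 2n).
    Returns (bound, {(degree, multiplicity): number of places})."""
    target = 2 * n
    places = [d for d, b_d in enumerate(counts, start=1) if d in mu for _ in range(b_d)]
    INF = float("inf")
    dp = [0] + [INF] * target                 # dp[t]: cheapest way to reach degree t
    back = []                                 # back[i][t] = (u, previous t) or None (skip)
    for d in places:
        options = [(1, d, mu[d])] + [(u, d * u, cost(d, u, mu, mult)) for u in mult]
        new, choice = dp[:], [None] * (target + 1)
        for t, c0 in enumerate(dp):
            if c0 == INF:
                continue
            for u, deg, c in options:
                t2 = min(t + deg, target)
                if c0 + c < new[t2]:
                    new[t2], choice[t2] = c0 + c, (u, t)
        dp, back = new, back + [choice]
    used, t = Counter(), target               # walk the recorded choices back
    for d, choice in zip(reversed(places), reversed(back)):
        if choice[t] is not None:
            u, t = choice[t]
            used[(d, u)] += 1
    return dp[target], dict(used)


# Values quoted on this page: mu_q(d), bilinear complexity of F_{q^d} over F_q,
# and M_q(u), bilinear complexity of a product truncated modulo t^u.
MU_3, M_3 = {1: 1, 2: 3, 3: 6, 4: 9}, {2: 3, 3: 5}
MU_2, M_2 = {1: 1, 2: 3, 3: 6, 5: 13, 6: 15, 8: 24}, {2: 3, 4: 8}

if __name__ == "__main__":
    # y^2 + 2x^3 + 2x^2 + 1 = 0 over F_3 has 3 rational points (Table 5, 4th row)
    print(place_counts(3, 3, 5))              # [3, 6, 11, 15, 42]
    print(best_divisor(57, place_counts(3, 3, 4), MU_3, M_3))
    # y^2 + y + x^3 = 0 over F_2 has 3 rational points (Section 4.1)
    print(best_divisor(163, place_counts(2, 3, 8), MU_2, M_2))
```

The place counts depend only on $N_1$, so a single call per isomorphism class of Table 5 suffices; the two calls above reproduce $N = [3, 6, 11, 15]$, $U = [3, 1, 1, 1]$ with bound 234 for $n = 57$, and the divisor of Section 4.1 with bound 906 for $n = 163$ (25 of the 27 available places of degree 8).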

4.2.4 Place $Q$ and divisor $D$

In the following, we use the notation of Magma [12] for the representation of places and divisors. In order to construct $\mathbb{F}_{3^{57}}$ we choose the place $Q$ defined by

$Q := \big(\, x^{57} + x^{56} + 2x^{54} + 2x^{53} + 2x^{51} + 2x^{50} + 2x^{49} + x^{48} + x^{46} + x^{43} + 2x^{42} + 2x^{41} + 2x^{39} + 2x^{38} + 2x^{37} + 2x^{36} + x^{35} + 2x^{32} + 2x^{29} + x^{28} + x^{27} + 2x^{26} + x^{25} + x^{24} + 2x^{23} + 2x^{21} + 2x^{20} + x^{19} + x^{18} + 2x^{15} + x^{14} + 2x^{13} + x^{10} + 2x^{8} + x^{7} + x^{6} + 2x^{5} + x^{4} + x^{3} + 2x^{2} + x + 2,$
$\quad z + 2x^{56} + x^{55} + x^{54} + x^{53} + x^{52} + 2x^{50} + 2x^{49} + x^{48} + 2x^{47} + 2x^{45} + 2x^{43} + 2x^{42} + 2x^{41} + 2x^{38} + 2x^{37} + 2x^{36} + 2x^{35} + x^{34} + x^{33} + x^{32} + 2x^{31} + 2x^{29} + x^{28} + 2x^{25} + 2x^{24} + x^{23} + 2x^{22} + 2x^{20} + x^{19} + 2x^{18} + x^{17} + x^{15} + 2x^{13} + 2x^{12} + x^{11} + x^{10} + x^{8} + x^{6} + 2x^{5} + x^{2} + 2x + 1 \,\big),$

and we choose the following divisor $\mathcal{D}$, used to construct $\mathcal{B} = \{f_1, \ldots, f_{114}\}$, the basis of $\mathcal{L}(2\mathcal{D})$ containing a basis of $\mathcal{L}(\mathcal{D})$:

$\mathcal{D} := \big(\, x^{57} + x^{55} + x^{53} + x^{48} + x^{46} + 2x^{45} + 2x^{43} + 2x^{42} + x^{40} + 2x^{36} + x^{35} + x^{34} + x^{33} + x^{32} + x^{29} + 2x^{27} + x^{26} + 2x^{24} + 2x^{23} + 2x^{21} + 2x^{18} + 2x^{17} + x^{16} + 2x^{13} + x^{12} + 2x^{10} + 2x^{9} + x^{8} + 2x^{7} + 2x^{6} + 2x^{3} + 2x^{2} + x + 2,$
$\quad z + x^{56} + 2x^{55} + x^{54} + x^{53} + 2x^{52} + x^{51} + x^{50} + 2x^{49} + x^{48} + 2x^{47} + 2x^{46} + 2x^{45} + x^{43} + 2x^{42} + 2x^{41} + 2x^{39} + x^{38} + x^{37} + x^{36} + 2x^{35} + 2x^{34} + x^{32} + 2x^{30} + 2x^{29} + 2x^{28} + x^{27} + x^{26} + x^{25} + x^{24} + x^{21} + x^{20} + 2x^{17} + x^{16} + x^{13} + 2x^{12} + x^{10} + x^{9} + x^{8} + 2x^{7} + 2x^{6} + 2x^{5} + x^{4} + 2x^{2} \,\big).$
4.2.5 Interpolation phase

In order to construct the effective algorithm of multiplication in $\mathbb{F}_{3^{57}}$, namely explicit formulas for the bilinear multiplications, we have to evaluate the relation (5) at all the points chosen to obtain the bound 234. We organise the interpolation phase starting with the places used with derivative evaluation ($u > 1$), and we finish with the ones used with no derivative evaluation.

• Derivative Evaluation

Remember that the higher multiplicity $u = 3$ occurs only with places of degree 1. This means that we use the local expansion at order 3 for all points of degree 1; hence for any function $f_i$ of the basis $\mathcal{B}$ we have
$$f_i(P_1[k]) = \alpha_{i,0} + \alpha_{i,1}\,t_k + \alpha_{i,2}\,t_k^2, \qquad (6)$$
where $\alpha_{i,j}$ is an element of $\mathbb{F}_3$ and $t_k$ is a local parameter at $P_1[k]$. Evaluating the relation (5) at the points of degree 1 leads to
$$\left(\sum_{i=1}^{57} a_i f_i(P_1[k])\right)\left(\sum_{i=1}^{57} b_i f_i(P_1[k])\right) = \sum_{i=1}^{114} c_i f_i(P_1[k]), \qquad (7)$$
where $k \in \{1, 2, 3\}$ and $a_i, b_i, c_i \in \mathbb{F}_3$. Substituting expression (6) in equation (7) allows us to write
$$(A_0 + A_1 t_k + A_2 t_k^2)\,(B_0 + B_1 t_k + B_2 t_k^2) = C_0 + C_1 t_k + C_2 t_k^2 \pmod{t_k^3}, \qquad (8)$$
where
$$A_j = \sum_{i=1}^{57} a_i\,\alpha_{i,j}, \qquad B_j = \sum_{i=1}^{57} b_i\,\alpha_{i,j} \qquad \text{and} \qquad C_j = \sum_{i=1}^{114} c_i\,\alpha_{i,j}.$$
Computing (8) is exactly the multiplication of two 3-term polynomials of $\mathbb{F}_{3^{\deg P_1}}[t_k]$ truncated at order 3. We have $M_3(3) = 5$, meaning that to obtain the first three coefficients of the product we need the 5 bilinear multiplications in $\mathbb{F}_{3^{\deg P_1}}$






$$m_1 = A_0 B_0, \qquad m_2 = A_1 B_1, \qquad m_3 = A_2 B_2, \qquad m_4 = (A_0 + A_1)(B_0 + B_1), \qquad m_5 = (A_0 + A_2)(B_0 + B_2),$$
from which $C_0 = m_1$, $C_1 = m_4 - m_1 - m_2$ and $C_2 = m_5 - m_3 - m_1 + m_2$. Remember that if we used derivative evaluation with places of degree more than one, we would have 5 bilinear multiplications in $\mathbb{F}_{3^{\deg P}}$, each of which in turn costs $\mu_3(\deg P)$, the bilinear complexity of multiplication in $\mathbb{F}_{3^{\deg P}}$. This being said, for our example we use all 3 points of degree 1 with multiplicity 3, so we obtain 15 bilinear multiplications $m_1, \ldots, m_{15}$ (five per point), whose matrix representation is
$$\begin{pmatrix} m_1 \\ m_4 - m_1 - m_2 \\ m_5 - m_3 - m_1 + m_2 \\ m_6 \\ m_9 - m_6 - m_7 \\ m_{10} - m_8 - m_6 + m_7 \\ m_{11} \\ m_{14} - m_{11} - m_{12} \\ m_{15} - m_{13} - m_{11} + m_{12} \end{pmatrix} = \begin{pmatrix} C_1 \\ C_2 \\ C_3 \\ C_4 \\ C_5 \\ C_6 \\ C_7 \\ C_8 \\ C_9 \end{pmatrix},$$
where $C_1, \ldots, C_9$ are the nine linear forms in $c_1, \ldots, c_{114}$ given by (8) (the coefficients $C_0, C_1, C_2$ for each of the three points of degree 1); the right-hand side is thus a $9 \times 114$ matrix with entries in $\mathbb{F}_3$ applied to $(c_1, \ldots, c_{114})^T$.

For the places of higher degree, we use all of them with multiplicity 1, thus with no derivative evaluation.



• No Derivative Evaluation

Evaluating the relation (5) at the points of degree $\deg P_j$ leads to
$$\left(\sum_{i=1}^{57} a_i f_i(P_j[k])\right)\left(\sum_{i=1}^{57} b_i f_i(P_j[k])\right) = \sum_{i=1}^{114} c_i f_i(P_j[k]). \qquad (9)$$
For any function $f_i$ of the basis $\mathcal{B}$, $f_i(P_j[k])$ is an element of the finite field $\mathbb{F}_{3^{\deg P_j}}$, for which a representation is
$$\mathbb{F}_3[x]/\langle P_j[k] \rangle.$$
If the set $\{1, \omega_{j,k}, \ldots, \omega_{j,k}^{j-1}\}$ denotes a basis of $\mathbb{F}_{3^{\deg P_j}}$, then there exist $j$ elements $s_{i,0}, s_{i,1}, \ldots, s_{i,j-1}$ of $\mathbb{F}_3$ such that
$$f_i(P_j[k]) = s_{i,0} + s_{i,1}\,\omega_{j,k} + \cdots + s_{i,j-1}\,\omega_{j,k}^{j-1}. \qquad (10)$$
Equation (10) allows us to rewrite relation (9) as
$$\left(\sum_{\ell=0}^{j-1} A_\ell\,\omega_{j,k}^{\ell}\right)\left(\sum_{\ell=0}^{j-1} B_\ell\,\omega_{j,k}^{\ell}\right) = \sum_{\ell=0}^{j-1} C_\ell\,\omega_{j,k}^{\ell}, \qquad (11)$$
where
$$A_\ell = \sum_{i=1}^{57} a_i\,s_{i,\ell}, \qquad B_\ell = \sum_{i=1}^{57} b_i\,s_{i,\ell} \qquad \text{and} \qquad C_\ell = \sum_{i=1}^{114} c_i\,s_{i,\ell}.$$
One easily identifies expression (11) as the multiplication of two elements of $\mathbb{F}_{3^{\deg P_j}}$ over $\mathbb{F}_3$. The bilinear complexity of multiplication is, in the case of interpolation at places with no derivative evaluation, $\mu_3(\deg P)$.

– When $\deg P = 2$, equation (11) becomes
$$\left(\sum_{\ell=0}^{1} A_\ell\,\omega^{\ell}\right)\left(\sum_{\ell=0}^{1} B_\ell\,\omega^{\ell}\right) = \sum_{\ell=0}^{1} C_\ell\,\omega^{\ell},$$
and this expression is the multiplication of two elements of $\mathbb{F}_{3^2}$ over $\mathbb{F}_3$, whose bilinear complexity $\mu_3(2)$ equals 3. It means that to obtain the coefficients $C_0, C_1$ one needs three bilinear multiplications, obtained with Karatsuba's algorithm and defined by
$$m_1 = A_0 B_0, \qquad m_2 = A_1 B_1, \qquad m_3 = (A_0 + A_1)(B_0 + B_1).$$

– For places of degree 3, we have $\mu_3(3) = 6$, where the 6 multiplications needed are
$$\begin{aligned}
m_1 &= A_0 B_0, & m_4 &= (A_0 + A_1)(B_0 + B_1), \\
m_2 &= A_1 B_1, & m_5 &= (A_0 + A_2)(B_0 + B_2), \\
m_3 &= A_2 B_2, & m_6 &= (A_1 + A_2)(B_1 + B_2).
\end{aligned}$$

– Finally, for places of degree 4, $\mu_3(4) = 9$, with
$$\begin{aligned}
m_1 &= A_0 B_0, & m_5 &= (A_0 + A_1)(B_0 + B_1), \\
m_2 &= A_1 B_1, & m_6 &= (A_0 + A_2)(B_0 + B_2), \\
m_3 &= A_2 B_2, & m_7 &= (A_2 + A_3)(B_2 + B_3), \\
m_4 &= A_3 B_3, & m_8 &= (A_1 + A_3)(B_1 + B_3), \\
& & m_9 &= (A_0 + A_1 + A_2 + A_3)(B_0 + B_1 + B_2 + B_3).
\end{aligned}$$

4.2.6 Evaluation at the place $Q$

In order to complete the multiplication algorithm, we have to reconstruct $f_\gamma$ and then evaluate it at the chosen place $Q$. The final matrix representation of the interpolation relation is
$$\underbrace{\begin{pmatrix} m_1 \\ m_4 - m_1 - m_2 \\ m_5 - m_3 - m_1 + m_2 \\ m_6 \\ m_9 - m_6 - m_7 \\ m_{10} - m_8 - m_6 + m_7 \\ m_{11} \\ m_{14} - m_{11} - m_{12} \\ m_{15} - m_{13} - m_{11} + m_{12} \\ \vdots \\ m_1 + \cdots + 2m_{230} - m_{231} + m_{234} \end{pmatrix}}_{\mathcal{M}}
= \underbrace{\begin{pmatrix}
1&1&1&0&1&1&0&1&\cdots&0&1&0&2&0&0&1&0 \\
0&1&0&0&1&1&1&0&\cdots&1&0&2&0&0&1&1&0 \\
2&1&2&0&1&1&0&1&\cdots&0&1&0&2&0&0&2&2 \\
2&1&2&0&1&1&0&1&\cdots&1&0&2&2&1&1&2&2 \\
1&1&2&0&1&0&1&1&\cdots&0&2&0&2&1&0&1&0 \\
1&1&2&0&1&1&1&0&\cdots&1&1&0&2&0&0&1&1 \\
0&1&2&0&1&1&0&1&\cdots&0&1&0&2&0&1&1&2 \\
1&1&2&0&1&0&0&1&\cdots&0&1&0&2&0&2&1&1 \\
\vdots&&&&&&&&&&&&&&&&\vdots \\
2&1&2&0&1&1&1&0&\cdots&0&1&0&2&0&0&1&1 \\
0&1&2&0&1&1&1&1&\cdots&0&1&0&2&0&0&1&1
\end{pmatrix}}_{\mathcal{G}}
\begin{pmatrix} c_1 \\ c_2 \\ \vdots \\ c_{114} \end{pmatrix}.$$
The left-hand side has $3\cdot3 + 6\cdot2 + 11\cdot3 + 15\cdot4 = 114$ rows (one per coefficient obtained at a place), so $\mathcal{G}$ is a $114 \times 114$ matrix over $\mathbb{F}_3$. Since $\mathcal{G}$ is invertible ($Ev_{\mathcal{P}}$ is injective and $\dim \mathcal{L}(2\mathcal{D}) = 114 = \deg G$), we have $\mathcal{G}^{-1}\mathcal{M} = (c_1, \ldots, c_{114})^T$, and then $f_\gamma$, the unique function of $\mathcal{L}(2\mathcal{D})$ such that $f_\alpha f_\beta = f_\gamma$, is defined by
$$f_\gamma = c_1 f_1 + \cdots + c_{114} f_{114}.$$
Recall that to obtain the product $\alpha\beta$ we just have to evaluate $f_\gamma$ at the place $Q$, so
$$\alpha\beta = f_\gamma(Q) = c_1 f_1(Q) + \cdots + c_{114} f_{114}(Q).$$
4.2.7 Reconstruction of $f_\gamma$ in $\mathcal{L}(\mathcal{D})$

To complete the algorithm, we must find the coefficients $\gamma_i$, for $i \in [1..57]$, such that
$$\left(\sum_{i=1}^{57} a_i f_i(Q)\right)\left(\sum_{i=1}^{57} b_i f_i(Q)\right) = \sum_{i=1}^{57} \gamma_i f_i(Q).$$
Let
$$e_1 = f_1(Q), \quad \ldots, \quad e_{57} = f_{57}(Q), \quad \ldots, \quad e_{114} = f_{114}(Q).$$
With these notations we have
$$f_\gamma(Q) = c_1 e_1 + \cdots + c_{57} e_{57} + c_{58} e_{58} + \cdots + c_{114} e_{114}.$$
The vectors $(e_1, \ldots, e_{57})$ form a basis of $\mathbb{F}_{3^{57}}$ over $\mathbb{F}_3$, as $(f_1, \ldots, f_{57})$ is a basis of $\mathcal{L}(\mathcal{D})$ and $Ev_Q$ is surjective, hence bijective, on this 57-dimensional space; then, to find the coefficients $\gamma_i$ for $i \in [1..57]$, it is sufficient to express the vectors $(e_{58}, \ldots, e_{114})$ in terms of $(e_1, \ldots, e_{57})$. This leads to
$$\begin{aligned}
e_{58} &= e_1 + 2e_2 + \cdots + e_{57}, \\
&\;\;\vdots \\
e_{114} &= 2e_1 + e_2 + \cdots + 2e_{57},
\end{aligned}$$
and bringing together the terms in $(e_1, \ldots, e_{57})$, we finally get
$$f_\gamma(Q) = (c_1 + c_{58} + \cdots + 2c_{114})\,e_1 + \cdots + (c_{57} + c_{58} + \cdots + 2c_{114})\,e_{57}.$$

Explicit formulas can be found at the following address:

http://eriscs.esil.univmed.fr/dotclear/public/res/mtukumuli/FE.pdf